The General Data Protection Regulation, or GDPR, was brought in by the European Union in 2018. The intention was to update data protection laws across all member states and ensure that companies would become compliant in their handling of data. A lot of businesses, however, still see GDPR as a nuisance. In fact, it acts to protect customers and businesses alike. Here, we discuss exactly how that is the case.

Security of data

Under GDPR, the data of individuals became much better defined. Anything identifiable to an individual is their personal data, and under GDPR users have the right to know who is in possession of their data and which organisations are using it. Customers have to agree to actions being taken with their data, so they have a far greater level of control over what companies are doing with their personal information. If they don’t like what a company is doing, they can simply withdraw their consent and request that a company deletes the data. This not only protects the customer but also benefits the business in that it ensures individuals can have a greater feeling of comfort that their data is being used legitimately.

Transparency of data

Customers are also given the right to be informed of what the purpose their data is being used for, exactly what data is collected, and if there have been any data security breaches. These wide-ranging reforms, designed to allow for a much greater level of transparency, ensure that customers are not only more secure but are also more aware of what exactly their data entails. When individuals are allowed to download all of the data that international companies hold about them, they have a better idea of what their data actually is, and can get a better idea of what sort of access they want to let companies have. Customers, therefore, are more likely to be trusting of what exactly a company does, since data is no longer an abstract concept but something more tangible. Two-thirds of Europeans have now heard of GDPR, demonstrating the reach of the regulation and its impact in boosting awareness. Compliant companies are therefore likely to benefit from the implementation of GDPR.

With the implementation of GDPR across Europe, companies are now considering data to be an intrinsic part of cyber essentials. Data handling is key to modern business operations, and to ensure that your company is completely compliant, you may need expert help. CyberSmart can help make a complicated bit of regulation, much simpler with our Privacy toolbox, click here to find out more.

The introduction of the General Data Protection Regulation – a.k.a. GDPR – was introduced in 2018. This new framework standardised and updated data protection law across the European market and most importantly gave consumers more say over how their data is handled, stored and shared.

However, considering how quickly data collection and analysis technologies are developing, this legislation wasn’t a one-size-fits-all solution. Subsequently, there are a few grey areas that left many organisations feeling confused – which is risky, considering the size of the potential fines.

Now, it seems that similar legislation with its own unique nuances will appear in the United States, adding a whole new layer of data privacy legislation for companies to navigate. Here, we discuss what American data privacy law is likely to bring going into 2020.

GDPR USA – What to expect

Although data privacy is a global issue, every region is developing its own distinct regulations. Although it’s likely there will be similarities between GDPR and American data privacy legislation, currently, there are no plans for a comprehensive, nation-wide GDPR USA. Instead – much to the dismay of many international companies – every state is drawing up its own plan. Currently, the two major ones businesses need to be aware of are California’s Consumer Privacy Act (CCPA) and the SHIELD Act.

CCPA

California’s Consumer Privacy Act, or CCPA, came into force as of 1 January 2020. The legislation has similarities with GDPR, however, there are important differences. For instance, under GDPR users must opt-in to third-party data sharing whereas, under CCPA, they need to opt-out. This means companies will have to have customised terms and conditions forms for Californian users. That said, the good news is that CCPA isn’t as far-reaching as GDPR. If your company turnover is less than $25 million and you don’t handle the data of more than 50,000 then the rules don’t apply.

SHIELD Act

In July 2019 New York State passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which will come into effect on 21 March 2020. Similarly to GDPR, this law is designed to standardise data privacy requirements. However, this is where it can get confusing; the wording of the legislation is suitably vague, with statements such as “data security should be appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” To add to the bill’s cryptic nature, if companies are already in compliance with historic data protection laws like HIPAA and the GLBA, they may already be compliant.

Get globally data compliant

Legislation like GDPR has global implications. With so many different laws emerging all over the world, it’s critically important that companies with international operations seek advice on data compliance and certification. Just look at some of the fines that have been dished out under GDPR – and legislation like CCPA empowers American states to enforce even heftier fines. Cyber Smart are the experts in cybersecurity compliance, and with IASME’s GDPR Readiness certification we can help your business ensure full GDPR compliance and the proper processes and policies are in place. Wherever your business operates, contact us to ensure you’re fully compliant.

The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.

Some types of personal data are extremely sensitive , and therefore, data controllers must take extra measures to ensure their protection. This is known as special category data and it relates to data that:

• reveals racial or ethnic origin;
• reveals political opinions;
• reveals religious or philosophical beliefs;
• reveals trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning an individual’s health;
• data concerning a person’s sex life; or
• their sexual orientation.

Leaks of this type of personal data can be extremely damaging and dangerous, just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them. 

This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control. 

What does the new guidance say about how organisations should approach processing special category data?

Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for the processing and potentially an associated DPA 2018 Schedule 1 condition. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing. 

There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.